FSS discovers unnecessary provision of personal credit information in examination
Refutes that illegal transfer through consignment and encryption
“Not a case of consignment… Consent required even with encryption”,
,
,
, ‘The Financial Supervisory Service (FSS) has discovered that Kakao Pay provided personal credit information to Ali Pay, its second-largest shareholder.’,
,
, ‘Kakao Pay provided personal credit information of all customers, including those who do not use overseas payments. From April 2018, a total of 54.2 billion cases (40.45 million people) of personal credit information were provided, including Kakao account IDs, phone numbers, emails, Kakao Pay subscription details, transaction history (balances, deposits, withdrawals, payments, transfers), etc.’,
,
, ‘Furthermore, for customers who used overseas payments, from November 2019, Kakao Pay provided 550 million cases of Kakao account IDs and order information (time, currency, amount, transaction type, etc.), payment information (time, currency, amount, payment method) each time they used overseas payments. FSS pointed out that Kakao Pay provided credit information of overseas payment customers to Ali Pay despite not requiring customer credit information for settling overseas payment dues.’,
,
, ‘There are three main points where the difference in stance between FSS and Kakao Pay is revealed: misuse of customer credit information, information transfer according to consignment, encryption of information and customer consent. While Kakao Pay claims there were no illegal or unauthorized actions in the process of providing personal credit information and that there are differences in legal interpretation, FSS finds it difficult to accept such claims.’,
,
, ‘Kakao Pay’s second-largest shareholder is “Ali Pay Singapore Holdings,” which holds a 32.06% stake. Ali Pay Singapore Holdings is an Ali Pay subsidiary of Ant Group, China’s largest fintech (finance+technology) company. Additionally, Kakao Pay is a early partner of Ali Pay’s global mobile payment service “Ali Pay Plus,” supporting overseas payments for domestic customers as well as domestic payments for overseas Ali Pay customers.’,
,
,
,
, ①Misuse of Customer Credit Information,
,
, ‘According to FSS on the 13th, through related materials, it stated, “Kakao Pay continues to provide (Ali Pay) with the credit information of all customers, raising concerns about the misuse of customer information.” FSS pointed out that Kakao Pay provided not only the personal credit information of customers targeted for information transmission, but also unnecessary information of all customers to a third party.’,
,
, ‘Kakao Pay provided the personal credit information to Ali Pay upon Apple’s request. When Apple requested customer-specific credit score (NSF) scores for its internal economic system, Ali Pay requested personal credit information from Kakao Pay under the pretext of NSF score calculation. In this process, FSS stated that Kakao Pay provided not only information of customers targeted for NSF score calculation but also information of all customers to Ali Pay.’,
,
, ‘Kakao Pay is adamant that it did not provide illegal information. A Kakao Pay official stated, “There seems to be contrasting viewpoints in legal interpretation.” and said, “We will clarify the specifics during the FSS investigation.”‘,
,
, ②Information Transfer According to Consignment,
,
, ‘In response to FSS’s criticism that personal credit information was passed on without customer consent, Kakao Pay explained it as a normal method of information transfer based on business consignment. The information transfer has been carried out through a consignment method based on the business consignment relationship between Kakao Pay, Ali Pay, and Apple. According to Kakao Pay, under the Credit Information Use and Protection Act, if personal credit information is transferred through consignment, customer consent is not required.’,
,
, ‘FSS, however, concluded that “the relationship between Kakao Pay and Ali Pay does not constitute a business consignment.” An FSS official told Asia Economy and TONG after phone calls, “For this case to be seen as consignment, electronic payment gateway (PG) companies like Ali Pay should be mainly involved in the calculation of NSF scores. Isn’t the general business of PG companies payment rather than NSF score calculation?” and stated, “Kakao Pay did not submit a business consignment agreement, nor was there evidence that they managed or supervised Ali Pay.”‘,
,
, “According to FSS, for it to be considered ‘credit information processing consignment,’ it must meet criteria like ▲the consignor (Kakao Pay) processing for their own business interests, ▲the consignee (Ali Pay) not having independent interests other than processing fees for consignment, and ▲processing under the management and supervision of the consignor.”,
,
, ③Information Encryption and Customer Consent,
,
, ‘Kakao Pay claimed that since they thoroughly encrypted personal credit information, customer consent was unnecessary. A Kakao Pay official stated, “We provided information that cannot be identified as belonging to anyone and that is absolutely impossible to decrypt, so it does not violate any credit information laws.”‘,
,
, ‘However, FSS points out deficiencies in Kakao Pay’s encryption method and asserts that even with meticulous encryption, customer consent is necessary. An FSS official stated, “Kakao Pay has not changed the function structure necessary for encryption to a level where decryption (reverting encrypted information to its original form) by the general public is impossible,” and said, “Unlike anonymous information (completely eliminating the connection to individuals to make them unidentifiable), in the case of pseudonymous information (information that cannot identify a specific individual without additional information), unless it is for statistical or research purposes, customer consent is necessary.”‘,
,
,